The Chief Executive
All Authorized Institutions 


Dear Sir/Madam, 


Cybersecurity Fortification Initiative 2.0 


I am writing to inform authorized institutions (AIs) of the introduction of 
Cybersecurity Fortification Initiative (CFI) 2.0 and the associated implementation 
timeline. 


The Hong Kong Monetary Authority (HKMA) has recently completed a review of 
the CFI, which was launched in 2016 to raise the cyber resilience of Hong Kong’s 
banking system. The initiative is underpinned by three pillars: (i) the Cyber 
Resilience Assessment Framework (C-RAF); (ii) the Professional Development 
Programme (PDP); and (iii) the Cyber Intelligence Sharing Platform (CISP). 


CFI 2.0 has been developed after extensive consultation with the banking industry. 
Many of the industry’s comments received during the consultation have been taken 
on board. Changes have also been made to reflect the latest developments in 
overseas cyber practices. Specifically, recent international sound practices on cyber 
incident response and recovery have been incorporated into the enhanced control 
principles under C-RAF. As regards the PDP, the certification list has been 
expanded to include equivalent qualifications in major overseas jurisdictions. The 
HKMA has also put forward a series of recommendations to the Hong Kong 
Association of Banks to make the CISP more user-friendly. More details of the 
enhancements to the CFI can be found in the Annex to this circular. 


CFI 2.0 will come into effect from 1 January 2021. The HKMA will continue to 
adopt a phased approach to the implementation of C-RAF 2.0. Specifically: 


(i) AIs will be divided into three groups similar to those adopted for C-RAF 
1.0. Group 1 will cover all major retail banks, selected foreign bank 
branches and new AIs which have not undertaken the C-RAF assessments 
before. The rest will be included in Group 2 or 3 depending on their scale 
of operation and cyber risk profile. The HKMA will inform AIs individually 
of their assigned grouping. 


1 Available on the HKMA’s Supervisory Communication Website. 
(ii) The timeline for completing the C-RAF 2.0 assessments for the 3 groups of 
AIs is as follows: 


                               Group 1          Group 2       Group 3
Inherent Risk Assessment       End-September    End-June      End-March
and Maturity Assessment        2021             2022          2023
iCAST (applicable to AIs       End-June         End-March     End-December
with inherent risk level       2022             2023          2023
assessed to be “medium” or
“high”)


Should you have any questions regarding the implementation schedule of C-RAF 
2.0, please contact Ms Connie Tse at 2597 0617 or Mr Jacky Lau at 2878 1578. For 
questions relating to CFI 2.0, please get in touch with the HKMA’s Fintech 
Facilitation Office via fintech@hkma.gov.hk. 


Yours faithfully, 


Raymond Chan 
Executive Director (Banking Supervision) 


Encl. 


